Microsoft fixes Office Web Components vulnerability, kill-bit bypass


Robert Westervelt, News Editor

Microsoft repaired critical Office Web Components vulnerabilities that have been actively exploited in the wild since the software giant first acknowledged them last month.

Microsoft also released an additional critical update to repair ActiveX vulnerabilities in its Active Template Library. The errors enable an attacker to bypass kill-bits, a feature commonly deployed by Microsoft to block attackers from exploiting complex interoperability vulnerabilities without addressing the underlying flaw.

In all, Microsoft issued nine security updates Tuesday, including six rated critical, affecting Windows and Office Web Components.

MS09-043 addresses four vulnerabilities in Microsoft Office Web Components that could be exploited by an attacker to take full control of a victim's machine. Microsoft Web Components allow users to view spreadsheets, charts and databases on the Web.

The vulnerabilities (a memory allocation bug, heap corruption and HTML script errors, and a buffer overflow flaw) can be exploited remotely. Last month Microsoft issued an advisory warning of active exploitation of the Web Components vulnerabilities. The vulnerabilities are in the Spreadsheet ActiveX Control, which is used by Internet Explorer (IE) to display the data in the browser.

Microsoft also revisited ongoing issues it is having with its Active Template Library (ATL). MS09-037 addresses five errors that could be exploited in drive-by attacks. The errors allow remote code execution if a user loads a malicious component or control hosted on a website. MS09-037 is a continuation of the two emergency, out-of-band updates issued July 28, addressing flaws in the Active Template Library that affect Internet Explorer and Visual Studio. Ryan Smith, Mark Dowd and David Dewey recently demonstrated successful attacks that bypass the kill-bit mechanism that Microsoft frequently deploys to shut down buggy ActiveX controls.

In an interview with SearchSecurity.com, Dewey of IBM Internet Security Systems, credited by Microsoft for reporting the ATL Uninitialized Object vulnerability, warned developers to consider the update closely. The series of interoperability weaknesses can be found in Web browser controls and plug-ins developed over the last 15 years by multiple vendors using a flawed version of Microsoft Visual Studio. Adobe Systems Inc. and Cisco Systems Inc. each issued advisories related to the ATL issues and other third-party vendors will likely follow.

The researchers found ways to bypass dozens of kill-bits deployed by Microsoft during the last five years, exploiting over 100 ActiveX errors. Dewey said the number of Microsoft ActiveX errors could be closer to 1,000. The methods enable the ActiveX controls to run in Internet Explorer despite being blocked via the kill-bit method. Dewey said he expects there to be ongoing ATL updates as Microsoft and other vendors attempt to correct the errors.

"The fix itself is not particularly difficult. In many cases it's just a matter of applying the fix to Visual Studio and recompiling the control itself," Dewey said. "Where we're finding that most people are having difficulty is first in locating all of the controls that may exist in their environment."

As many as 10,000 controls are affected by the flaws across the Internet, Dewey said. Large software distributors are affected most by the errors. Trying to enumerate all the different ActiveX controls that they may have developed is a daunting task, he said.

"The next hardest part is creating a new distribution mechanism to update and make sure those patches are pushed out," Dewey said.

Microsoft also addressed two critical vulnerabilities in its remote desktop software. MS09-044 fixes vulnerabilities in Microsoft Remote Desktop Connection that could be exploited remotely by an attacker who tricks a user of Terminal Services into connecting to a malicious RDP server or visiting a malicious website. Microsoft said the software contains heap and ActiveX heap overflow vulnerabilities.

Two critical vulnerabilities were addressed in Windows Internet Name Service (WINS). MS09-039 addresses heap overflow and integer overflow vulnerabilities in WINS that could be remotely exploited by an attacker. Microsoft said the update is addressed automatically for customers who have WINS installed. WINS is not installed by default on any affected operating system version.

MS09-038 addresses two critical vulnerabilities in Windows Media file processing. An AVI header vulnerability and AVI integer overflow error can be remotely exploited by an attacker by forcing a user to open a malicious AVI file. A successful attack could enable an attacker to take complete control of an affected system, Microsoft said. The update is rated critical for all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008.

Microsoft also issued four important bulletins. MS09-036 addresses a denial-of-service vulnerability in ASP.NET, the Microsoft framework in Windows. MS09-040 addresses a vulnerability in the Windows Message Queuing Service (MSMQ). MS09-041 fixes a memory corruption vulnerability in the Windows Workstation Service (http://www.microsoft.com/technet/security/bulletin/ms09-041.mspx). MS09-042 repairs a flaw in the Microsoft Telnet service.

In a statement, Ben Greenbaum, senior research manager at Symantec Security Response, said ActiveX controls were the primary target of this month's Microsoft updates.

"All of the ActiveX issues patched this month could be easily exploited and can impact even the average computer user," Greenbaum said. "The potential danger is that many of these vulnerabilities can be exploited by simply getting a user to visit a webpage that contains malicious content."